Recovery - Permitting affected systems back into the production environment (and watching them closely)

Lessons Learned - Writing everything down and reviewing and analyzing with all team members so you can improve future incident response efforts

Here are three examples from the front lines of incident response that can help you at each phase as you build out your plan.

On Defining Incident Response Success

There are many levels of success in defensive work. The common wisdom is that the attacker only has to be right once while the defender has to be right every time, but that’s not always true.

Attacks are not all-or-nothing affairs - they happen over time, with multiple stages before final success.

To remain undetected against an attentive defender, it is the attacker who must make every move correctly; if an astute defender detects them even once, they have the opportunity to locate and stop the whole attack.

You aren't going to immediately detect everything that happens during an attack - but as long as you detect (and correctly identify) enough of an attack to stop it in its tracks, that’s success.

Don’t Panic. Stay Focused.

Execution is key. The range of ways to attack a target can seem limitless, and expecting to be an expert on all of them is pointlessly unrealistic.

The most important part of incident response is to handle every situation in a way that limits damage, and reduces recovery time and costs.

At the end of the day, that’s how you’ll be measured on a job well done… not that you’ve covered every angle of every potential vulnerability.

Start with Simple Steps. Attackers are Lazy.

Attackers have technical and economic imperatives to use the minimum amount of effort and resources to breach their targets. The more low-hanging fruit you remove from your network, the more you raise the actual level of work an attacker has to expend to successfully infiltrate it.

AlienVault has recently created a 5 chapter eBook titled the Insider’s Guide to Incident Response that goes further into fundamental strategies that can help you create an efficient and effective incident response plan.